public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "cvs-commit at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug sanitizer/102656] [11 Regression] ICE on coroutines on -fsanitize=address -O1 since r11-1613-g788b962aa00959e8 Date: Tue, 10 May 2022 08:24:29 +0000 [thread overview] Message-ID: <bug-102656-4-UohfiFQZ2b@http.gcc.gnu.org/bugzilla/> (raw) In-Reply-To: <bug-102656-4@http.gcc.gnu.org/bugzilla/> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102656 --- Comment #9 from CVS Commits <cvs-commit at gcc dot gnu.org> --- The releases/gcc-10 branch has been updated by Jakub Jelinek <jakub@gcc.gnu.org>: https://gcc.gnu.org/g:f2549d3bc752bf832ca6de9830ff50b3f23143ab commit r10-10686-gf2549d3bc752bf832ca6de9830ff50b3f23143ab Author: Jakub Jelinek <jakub@redhat.com> Date: Sat Feb 19 09:03:57 2022 +0100 asan: Mark instrumented vars addressable [PR102656] We ICE on the following testcase, because the asan1 pass decides to instrument <retval>.x = 0; and does that by _13 = &<retval>.x; .ASAN_CHECK (7, _13, 4, 4); <retval>.x = 0; and later sanopt pass turns that into: _39 = (unsigned long) &<retval>.x; _40 = _39 >> 3; _41 = _40 + 2147450880; _42 = (signed char *) _41; _43 = *_42; _44 = _43 != 0; _45 = _39 & 7; _46 = (signed char) _45; _47 = _46 + 3; _48 = _47 >= _43; _49 = _44 & _48; if (_49 != 0) goto <bb 10>; [0.05%] else goto <bb 9>; [99.95%] <bb 10> [local count: 536864]: __builtin___asan_report_store4 (_39); <bb 9> [local count: 1073741824]: <retval>.x = 0; The problem is during expansion, <retval> isn't marked TREE_ADDRESSABLE, even when we take its address in (unsigned long) &<retval>.x. Now, instrument_derefs has code to avoid the instrumentation altogether if we can prove the access is within bounds of an automatic variable in the current function and the var isn't TREE_ADDRESSABLE (or we don't instrument use after scope), but we do it solely for VAR_DECLs. I think we should treat RESULT_DECLs exactly like that too, which is what the following patch does. I must say I'm unsure about PARM_DECLs, those can have different cases, either they are fully or partially passed in registers, then if we take parameter's address, they are in a local copy inside of a function and so work like those automatic vars. But if they are fully passed in memory, we typically just take address of the slot and in that case they live in the caller's frame. It is true we don't (can't) put any asan padding in between the arguments, so all asan could detect in that case is if caller passes fewer on stack arguments or smaller arguments than callee accepts. Anyway, as I'm unsure, I haven't added PARM_DECLs to that case. And another thing is, when we actually build_fold_addr_expr, we need to mark_addressable the inner if it isn't addressable already. 2022-02-19 Jakub Jelinek <jakub@redhat.com> PR sanitizer/102656 * asan.c (instrument_derefs): If inner is a RESULT_DECL and access is known to be within bounds, treat it like automatic variables. If instrumenting access and inner is {VAR,PARM,RESULT}_DECL from current function and !TREE_STATIC which is not TREE_ADDRESSABLE, mark it addressable. (cherry picked from commit 9e3bbb4a8024121eb0fa675cb1f074218c1345a6)
prev parent reply other threads:[~2022-05-10 8:24 UTC|newest] Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-10-08 21:03 [Bug c++/102656] New: ICE on coroutines on -fsanitize=address -O1 dprokoptsev at gmail dot com 2021-10-08 21:30 ` [Bug c++/102656] " dprokoptsev at gmail dot com 2021-10-11 10:39 ` [Bug c++/102656] [11/12 Regression] ICE on coroutines on -fsanitize=address -O1 since r11-1613-g788b962aa00959e8 marxin at gcc dot gnu.org 2021-11-05 13:25 ` rguenth at gcc dot gnu.org 2022-02-17 16:17 ` [Bug sanitizer/102656] " jakub at gcc dot gnu.org 2022-02-19 8:05 ` cvs-commit at gcc dot gnu.org 2022-02-19 8:09 ` [Bug sanitizer/102656] [11 " jakub at gcc dot gnu.org 2022-03-29 5:53 ` cvs-commit at gcc dot gnu.org 2022-03-30 8:14 ` jakub at gcc dot gnu.org 2022-05-10 8:24 ` cvs-commit at gcc dot gnu.org [this message]
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-102656-4-UohfiFQZ2b@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).